Wednesday, March 29, 2017

Your privacy at a price

By now, you've probably heard of J.Res.34, which will permit your Internet Service Provider at home to sell your browsing data to others. I admit that this wasn't on my tech radar until it happened. That's because this bill is extremely stupid and I assumed it would never pass.

I agree with the items in the article. I think the loss of privacy will be the first thing the general public will recognize in this. The other points are also important, but they aren't as visible as privacy. Now your ISP can sell your browsing habits, including your visits to Google, GMail, Amazon, Target, Apple, Hulu, Netflix, YouTube, CNN, BBC News, Facebook, Twitter, porn, etc.

I suspect the first thing ISPs will do is monetize your online activity at a broad level. They can very easily identify when your home is passing the most traffic. Do you go online in the morning, reading the news over breakfast? Do you do much online activity in the evening? Advertisers can use this information in various ways to build a better picture of you.

After that, I think ISPs will monetize DNS lookups. That gives a broad look at what you are doing. And it's relatively straightforward to create a log of DNS lookups. What websites do you visit most often? When do you visit them? By itself, that's very bad for privacy. But people can use other DNS providers (like Google Public DNS) so this will not be the final step.

From there, I think ISPs will do deep packet inspection. By inspecting traffic at greater detail, the ISP can see what pages you are looking at. That's where they will unravel your "https" request and create what's called a "Man in the Middle" (MITM). There are products that do this today, for corporate networks. And the EFF article correctly points out that this creates a security vulnerability. So now you don't have to worry if your browser is up to date on security, you have to worry if your ISP's MITM is up to date on security.

I fear the day that ISPs decide to insert ads into your browsing experience. This will not go over well. Imagine an H&R Block ad appearing on the Apple.com website around tax time, because your ISP inserted an ad. That happened. Other ISPs have tried inserting ads on web pages before, and received such negative feedback they stopped doing it. But I think that day is coming back.

More likely over the long term is we'll see ISPs offering another tier of service. "Don't want us to sell your data? Upgrade to our Privacy-plus plan for an extra $20/month." But by then, will you trust your ISP anymore?